
Operation prohibited by access rules when creating

Published 2020-07-24 06:11

Question:

When I try to create a new menu item to open a window in OpenERP 6.1, I get the following error:

AccessError

Operation prohibited by access rules, or performed on an already deleted document (Operation: create, Document type: ir.values).

I can always use the magic admin account that bypasses all the security checks, but I'd rather have finer control if possible. Why is this failing, and how can I allow some administrators to create menu items?

I'm particularly interested, because I want to write a module that creates menu items.

Answer 1:

After a bunch of digging, I found the cause of the error. There's a record rule called "Defaults: alter personal values only." That was added in revision 3560.1.7 and merged in revision 3713. The commit comment says:

[IMP] ir.values: improve security: users can only write to their personal defaults

Administrator access is required to set defaults for everybody, as well as to alter the action bindings.

It appears intended that you should only be able to alter action bindings using the magic admin account, and changing menu items requires you to alter action bindings.

How can you work around this? Well, you can make the record rules more sophisticated. You need to restrict most users to editing their own defaults, and let the administrative users edit all records in the ir_values table. All of our users are in the Human Resources/Employee group, so I added that group to the "Defaults: alter personal values only" rule to stop it from being a global rule. Then I added a new rule for ir_values called "Defaults and actions: alter any values". I used a dummy domain filter: [(1,'=',1)] and assigned it to the Administration / Configuration group. Now most users will only match the first rule and only be able to edit their own defaults. Anyone in the configuration group will match both rules, so the rules will be combined with an OR, and they will be able to edit all records in the table. The important thing to make this work is that you need a group or set of groups that all users are a member of.